Simulation testing of driver's foreseeable misuse for high-level automated driving

Summary

With high-level automated driving (HAD), the driver can engage in tasks unrelated to driving. In the event of a system failure, the driver is nevertheless expected to regain control of the autonomous vehicle (AV). An incorrect understanding of the system may induce driver misuse and may result in vehicle-level hazards. The ISO 21448 standard for Safety of the Intended Functionality (SOTIF) defines misuse as a driver using a system in a way that the system manufacturer does not intend. Foreseeable misuse (FM) means misuse of the system that can be anticipated based on the best understanding of the system design and of driver behavior. This is the underlying motivation for proposing simulation-based FM testing. A key challenge is to perform simulation testing of SOTIF-related misuse scenarios. The Lateral Navigation Assist System (TGAS) is modeled for HAD. In this paper TGAS is referred to as the "system" and the driver is the human operator of the system. This article focuses on implementing a driver-vehicle interface (DVI) that allows interaction between the driver and the system. Derived misuse scenarios are implemented and tested using a driving simulator. The aim is to ensure rational use of the system by providing the driver with clear information about the function and status of the system, so that the driver can conveniently perceive, understand and act on the information conveyed.

1. Introduction

In HAD, longitudinal and lateral vehicle guidance is controlled by the system. However, when the system reaches its operating limits, the human driver (HD) (referred to as a backup user in the SAE J3016 classification) needs to regain driving control within a reasonable amount of time. Whenever the system is unable to handle a situation within its operational design domain (ODD), the system issues a takeover request (TOR) as a notification, instructing the HD to perform the driving task immediately.

Transitions in autonomous driving (AD) are the processes and phases that transfer responsibility and driving control between HD and systems. A transition can be the activation or deactivation of a function, or a change from one driving state to another. According to the SAE J3016 taxonomy, the driver has no active role or driving responsibility when the system is operating within its ODD. Engaging in tasks unrelated to driving keeps the driver out of the loop, which can lead to misuse when returning to manual driving (MD) in a takeover situation.

To ensure a smooth transition from AD to MD, the TOR must be presented through a well-designed interface. It is therefore imperative to study the impact of driver-vehicle interface (DVI) design on the interaction between the driver and the system, abbreviated as driver-system interaction (DSI), so that the driver can regain control of the HAD vehicle while misuse is deterred. Figure 1 depicts a graphical representation of the driver's interaction with the system, together with the integration of the interface aspects into an automated vehicle (AV). One of the key topics in the SOTIF standard is FM, which is an important ergonomic consideration. It should be noted that this paper focuses on the driver's FM and, as part of the test, considers human factors during HAD transitions, not the reverse direction.

Figure 1: Integration of driver with system and AV: interaction and interface

The FM factors considered in this paper are the driver's identification and judgment. Accordingly, the driver's misidentification and misjudgment are the causes of FM. These factors and causes correspond to the human misuse process and the guide words in the informative Annex B of ISO 21448. A misidentification is similar to a perception error, where the driver's perception of the environment differs from reality. A misjudgment is similar to a wrong decision, where the driver decides to take an incorrect action in a given situation.

Section 2 of this paper describes the SOTIF-related misuse scenarios. Section 3 outlines the strategy for implementing simulation-based FM testing. Section 4 presents the implementation using a driving simulator and details the results. Finally, Section 5 presents concluding observations.

2. Misuse scenarios related to SOTIF

SOTIF-related misuse scenarios can be derived from acquired knowledge and brainstorming. Methods for systematically deriving SOTIF-related misuse scenarios to support system safety analysis are provided in ISO 21448. The scenario derivation shown in Figure 2 exposes the driver to a situation requiring lateral guidance, which is formed by the ego vehicle's lateral and longitudinal maneuvers in a highway environment. The ego vehicle in this paper is defined as an AV equipped with TGAS. The whole scene is divided into three operations:

– Changing from the right lane to the left lane

– Overtaking from the left lane

– Changing from the left lane to the right lane

Figure 2: Expressway Lane Changing Scene

Table 1 outlines the derived SOTIF-related misuse scenarios considered in this paper, in line with the example approach given in Annex B of ISO 21448. The DSI that affects the vehicle-level hazard associated with FM, namely lane departure, was considered in order to derive a SOTIF-related misuse scenario. Takeover is defined as the transfer of driving control between the human driver (HD) and the system. Understeer means that the driver fails to provide enough steering input for the ego vehicle to follow the lane.

Table 1: Description of SOTIF-related misuse scenarios

3. Simulation-based testing

The strategy shown in Figure 3 lists, in systematic order, the steps for performing simulation-based testing of the SOTIF-related misuse scenarios described in Table 1. Following the description given in Section 2, scenarios and operations are modeled using IPG CarMaker. TGAS performs AD for the ego vehicle by providing lateral and longitudinal control in the modeled scene. When the system reaches its operating limit, it notifies the driver by issuing a TOR. In HAD, it is not mandatory for the driver to take over immediately at the operating limit and the corresponding TOR. The system is expected to remain active until the driver is able to regain control.

Figure 3: Simulation-based testing

The driver may not be able to take over driving control within the specified takeover time, and FM is expected when the driver attributes to the system capabilities it does not have. This could cause the vehicle to stray from its lane, which is treated as a vehicle-level hazard. If the driver does not take over the driving task after the TOR, the system transitions to AD with reduced functionality. The system then performs a minimum risk maneuver (MRM) to keep the ego vehicle in its lane and automatically pulls it over to the side of the road in a safe manner. The driver may be asked to take over again when the MRM ends.
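The takeover logic of Section 3 (TOR, takeover window, reduced-function AD with MRM, roadside stop) can be written down as a small state machine. The following is an added example, not the paper's or IPG CarMaker's code; the takeover budget, the MRM duration and the rule that a pressed button is ignored while the MRM is running are assumptions, since the page gives no values for them.

```python
from dataclasses import dataclass
from enum import Enum, auto
from typing import List, Optional


class Mode(Enum):
    AD = auto()       # automated driving inside the ODD
    TOR = auto()      # takeover request issued, waiting for the driver
    MD = auto()       # manual driving, driver has control
    MRM = auto()      # reduced-function AD performing the minimum risk maneuver
    STOPPED = auto()  # pulled over safely; driver asked to take over again


@dataclass
class Tgas:
    takeover_time_s: float = 10.0  # assumed takeover budget (not given on the page)
    mrm_duration_s: float = 20.0   # assumed time needed to pull over (assumption)
    mode: Mode = Mode.AD
    t_tor: float = 0.0
    t_mrm: float = 0.0

    def operating_limit(self, t: float) -> None:
        """System reaches its ODD limit: issue the TOR and start the takeover clock."""
        if self.mode is Mode.AD:
            self.mode, self.t_tor = Mode.TOR, t

    def takeover_button(self, t: float) -> bool:
        """Steering-wheel button; accepted while a TOR is pending or after the
        MRM has ended (assumption: the MRM itself is not interruptible)."""
        accepted = self.mode in (Mode.TOR, Mode.STOPPED)
        if accepted:
            self.mode = Mode.MD
        return accepted

    def step(self, t: float) -> Mode:
        """Advance simulated time: a missed takeover budget triggers the MRM,
        and a finished MRM leaves the ego vehicle stopped at the roadside."""
        if self.mode is Mode.TOR and t - self.t_tor >= self.takeover_time_s:
            self.mode, self.t_mrm = Mode.MRM, t
        elif self.mode is Mode.MRM and t - self.t_mrm >= self.mrm_duration_s:
            self.mode = Mode.STOPPED
        return self.mode


def run_scenario(driver_reacts_at: Optional[int], horizon_s: int = 40) -> List[Mode]:
    """Constructed scenario: TOR at t=0 s; the driver presses the button at the
    given second (None = never, i.e. the driver keeps trusting the system).
    Returns the sequence of distinct modes visited at 1 s resolution."""
    sys, visited = Tgas(), [Mode.AD]
    sys.operating_limit(0.0)
    for t in range(horizon_s + 1):
        if driver_reacts_at is not None and t == driver_reacts_at:
            sys.takeover_button(float(t))
        if sys.step(float(t)) is not visited[-1]:
            visited.append(sys.mode)
    return visited
```

Running `run_scenario(None)` shows the misuse path (TOR ignored, MRM, roadside stop), while `run_scenario(5)` shows a timely takeover ending in manual driving.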

4. Implementation and results

Simulation-based testing is conducted using a driving simulator, shown in Figure 4, which allows the driver to control the ego vehicle in a simulated test environment.

Figure 4: Driving Simulator

The driving simulator is equipped with hardware (Logitech G29 steering wheel, pedals and gearbox) integrated with the simulation tool (IPG CarMaker). The driving simulator is used to determine how drivers respond to possible driving situations, including operating limits and system failures. The driver-vehicle interface (DVI) shown in Figure 5 is designed to support the interaction between the driver and the system. The DVI design follows the design guidelines referred to above.

Figure 5: Implementation of the Driver Vehicle Interface (DVI)

Based on a literature review of the design of takeover requests in HAD, covering aspects such as procedure, timing and modality, the TOR is prompted by a combination of an audible alarm and a visual notification on the designed DVI. The HD takes over driving control by pressing buttons on the steering wheel of the driving simulator. It is conceivable that the HD could engage in FM, especially if the HD is confident that the HAD is operating virtually flawlessly and is capable of performing safe driving maneuvers to prevent vehicle-level hazards in the driving environment.

A limitation of the current implementation is the use of a static driving simulator, in which kinematic haptics cannot be experienced. However, the implemented DVI makes it easier to keep the driver's workload at an acceptable level by providing the driver with synchronized audible alerts and visual notifications, as well as supporting information about system functionality and operating status.

5. Conclusions and future work

HAD allows the human driver (HD) to engage in non-driving-related tasks while driving, so a higher probability of system misuse is expected. This paper provides an overview of the SOTIF-related misuse scenarios described in the SOTIF standard and of the concept of foreseeable misuse (FM), and demonstrates an example simulation-based FM test strategy for system-initiated transitions between the system and the HD. It should be noted that the implementation shown in Section 4 is intended to demonstrate a simulation-based approach to FM testing, and does not represent unique or optimal measures for FM mitigation. The contribution of this paper is that it improves the understanding of the factors and causes that affect FM by combining the concepts of DVI and DSI and applying them to SOTIF-related misuse scenarios.

The basic premise is to consolidate and manage all interactions between the driver and the system. A simulation-based testing approach was applied to investigate the driver factors contributing to FM and to mitigate their causes. This article briefly describes the combination of DSI and DVI to address FM, but this combination has not yet been evaluated. Considering the various aspects of HD takeover in HAD, the next step in future work will be to characterize and quantify DSI. Analyzing the system specification for inappropriate driver interactions was a brainstorming task. Another possible analytical approach is systems-theoretic process analysis (STPA), which aims to identify hazardous interactions that occur without a system failure. Future work is recommended to identify the factors affecting FM via STPA, as well as mitigation measures for the described SOTIF-related misuse scenarios to prevent FM. One application of the proposed method is to show how the concepts of DVI and DSI are interrelated with FM. Recommendations can then be made on how DVI design, TOR presentation and the handling of inappropriate driver-system interaction can be employed to address the risks that could affect HAD functionality.

Source: blog.csdn.net/NewCarRen/article/details/130066621